
Tvr identity gtri


Cisco Identity Overview

Published in: Technology
  1. Cybersecurity: Identity and Access Control
  2. Federal Identity and Access: What Is Cisco’s Role?
  3. Disciplines of Security: Identity Is the Base. Information Access Control, Audit, Sharing, Encryption, Forensics, Threat Mitigation, Threat Migration, Data Leakage, Availability, Policy/Non-Repudiation, Inventory, Governance
  4. Customer Challenge in Building an Access Policy in a Borderless Network. Common questions organizations ask:
     - Authorized Access: How can I restrict access to my network? Can I manage the risk of using personal PCs? Common access rights when on-prem, at home, on the road? Endpoints are healthy?
     - Guest Access: Can I allow guests Internet-only access? How do I manage guest access? Can this work in wireless and wired? How do I monitor guest activities?
     - Non-User Devices: How do I discover non-user devices? Can I determine what they are? Can I control their access? Are they being spoofed?
  5. Five Aspects of Identity: Who are you? What is on your network? Are you compliant? Where can you go? What service level do you receive? What are you doing?
  6. Federal Government Requirements. DISA STIG on access control in Support of Information Systems (Dec 2008) (AC34.025: CAT 1): “The IAO/NSO will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports and configured in accordance with the Network Infrastructure STIG.” Recommended Security Controls for Federal Information Systems (NIST 800-53): “The information system typically uses either shared known information … or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication)”
  7. Why 802.1X? Industry-standard approach to identity; most secure user/machine authentication solution; complements other switch security features; easier to deploy; provides foundation for additional services (e.g., posture).
  8. How Does 802.1X Work? Supplicant → Authenticator (switch, router, WAP) → Authentication Server (RADIUS server) → Identity Store/Management (Active Directory, LDAP). Supplicant to authenticator: Layer 2 request for service (connectivity). Authenticator to authentication server: Layer 3 back-end authentication support. Authentication server to identity store: identity store integration.
  9. Cisco Identity Differentiators
     - Cisco-only Features: Open Mode (Wake-on-LAN support, PXE boot, ease of deployment); Flexible Authentication (Flex-Auth) (legacy device support); Multi-Domain Authentication (MDA) (securely daisy-chain systems behind VoIP phones); ACS 5 Scalability (top-down visibility and centralized reporting for authentication and authorization); TrustSec (Security Group Tags)
     - Other Enhancements: 802.1AE (hop-by-hop encryption included in TrustSec); more robust supplicant than the built-in Windows supplicant; identity-aware product roadmaps (more to come!); HBSS support, providing a layered approach to endpoint security
  10. Identity Deployment Phases
     - Monitor Mode. Primary features: open mode, Multi-Auth, Flex Auth (optional). Benefits: unobstructed access, no impact on productivity, gain visibility (AAA logs).
     - Low Impact Mode. Primary features: open mode, Multi-Domain, port ACL and dACLs. Benefits: maintain basic connectivity, increased access security, differentiated access.
     - High Security Mode. Primary features: traditional closed mode, dynamic VLANs. Benefits: strict access control.
  11. Building on the Foundation of Identity
     - TrustSec: Role-Based Access Control (network topology-independent; central policy enforcement; scalability via tagging); Data Integrity and Confidentiality (hop-to-hop data protection; preserves network L4–L7 service value); Network Virtualization (path isolation)
     - Network Admission Control: Profiling Services (device profiling; behavioral monitoring; device reporting); Guest Services (guest and sponsor portals; role-based AUP; provisioning and reporting); Posture Services (managed device posture; unmanaged device scanning; remediation)
     - Identity Infrastructure / Identity-Enabled Networks: user and device authentication; control network access (L2 and L3); device mobility in the network